GameGuardian start failed with Xposed (Samsung/arm64)

[Enyby]

GameGuardian started from version 8.1.0 crashed in boot.oat if Xposed installed. Link to apk: https://gameguardian.net/forum/files/file/2-gameguardian/ Link to error: https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43852 Link to logcat: https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43851 https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43887 Describe problem: http://forum.xda-developers.com/xposed/unofficial-xposed-samsung-lollipop-t3180960/post64544001

The main change in version 8.1.0 - support for x64, and as a consequence, the use of data type long, instead of int. Rather, it creates problems when compiling ART.

Another logcat: https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43930

[Enyby]

Logcats: 5.1.1s6edge.txt 2015-12-29-05-49-17(1).txt 2015-12-30-21-52-05.txt

[Enyby]

How does it work: using ptrace to connect to the process and change his memory.

Nothing special, associated with ART, the application does not comply.

The new version has been modified data handling. Previously int, but since support for x64 had to use long. I think the problem is this.

There is one more observation - if the problem would be in the native code, the logcat would record the start of the application as a native code runs only after the start of the Java code. But it is not. Hence the problem of Java code, or rather its compilation ART.

[Enyby]

Another possible problem - in version 8.1.0 added support v4 library for usage android.support.v4.util.LongSparseArray. It add lot of code to project. May be problem here.

[Enyby]

On version 8.1.2 I removed most of code from support.v4 jar. Only import two classes: android.support.v4.util.ContainerHelpers and android.support.v4.util.LongSparseArray but problem stay same.

Then cause or by these classes or usage long instead of int in some cases.

[Enyby]

Version 8.0.8 worked. But if I remove lib folder then it crashed. In lib folder located ELF executables and one libraray. But this library is hook and don't load in app. It load in target app. GameGuardian can run without libs.

test.zip

Crash data:

Build: samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys
Hardware: universal7420
Revision: 10
Bootloader: G925FXXU3COI9
Radio: unknown
Kernel: Linux version 3.10.61-S6_UniKernel_v8-0002_rb (gl@BlueDingo) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Fri Sep 4 16:01:33 BST 2015

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys'
Revision: '10'
ABI: 'arm64'
pid: 3670, tid: 3670, name: rsoft.climbhill  >>> com.fingersoft.climbhill <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8a900000000217
    x0   0000007f7b8933c0  x1   0000007febb66510  x2   0000007f7b8933c0  x3   0000000000000000
    x4   00000000771092b0  x5   0000000000000001  x6   0000000000000000  x7   0000007f7b88a1bc
    x8   0000000000000000  x9   0000007f7b88a1b8  x10  0000000000000000  x11  0000000000000000
    x12  0000000000000000  x13  0000000000430000  x14  0000000000550000  x15  0000000000430000
    x16  0000000000000000  x17  7b8a90000000007f  x18  0000007f7b7fd520  x19  0000000000000060
    x20  0000000073b04020  x21  0000007f7b8a9000  x22  0000007f7b8a9090  x23  0000007febb666e0
    x24  00000000712d3c79  x25  0000007febb666e0  x26  0000007febb666f0  x27  0000007febb66728
    x28  0000007febb66c00  x29  0000007febb66590  x30  0000000073b2f02c
    sp   0000007febb66500  pc   0000000073b04024  pstate 0000000060000000
    v0   00000000000000000000000000000000  v1   00000000000000000000007f7b865560
    v2   00000000000000000000000000000000  v3   00000000000000000000007febb67aa8
    v4   00000000000000000000007febb67a38  v5   00000000000000000000007febb67a98
    v6   00000000000000000000007febb67a28  v7   00000000000000007060993870609938
    v8   00000000000000000000007febb66d18  v9   00000000000000000000000070ee41e8
    v10  00000000000000000000000000000011  v11  00000000000000000000000000200045
    v12  00000000000000000000007f7b8a0400  v13  00000000000000000000007f7b8a0400
    v14  00000000000000000000007febb68438  v15  00000000000000000000000000080000
    v16  00000000000000000000007febb67a18  v17  70609938706099387060993870609938
    v18  70609938706099387060993870609938  v19  70609938706099387060993870609938
    v20  70609938706099387060993870609938  v21  70609938706099387060993870609938
    v22  70609938706099387060993870609938  v23  70609938706099387060993870609938
    v24  70609938706099387060993870609938  v25  70609938706099387060993870609938
    v26  70609938706099387060993870609938  v27  70609938706099387060993870609938
    v28  70609938706099387060993870609938  v29  70609938706099387060993870609938
    v30  000000000000000000000000ebad608e  v31  000000000000000000000000ebad608f
    fpsr 00000010  fpcr 00000000

backtrace:
    #00 pc 0000000000000024  /data/dalvik-cache/arm64/system@framework@boot.oat
    #01 pc 000000000002b028  /data/dalvik-cache/arm64/system@framework@boot.oat

stack:
         0000007febb66400  0000007f7bc00178  [anon:libc_malloc]
         0000007febb66408  0000007f00000001  
         0000007febb66410  0000007f7bc00410  [anon:libc_malloc]
         0000007febb66418  0000007f7b4e0dfc  /system/lib64/libart.so (art::gc::allocator::RosAlloc::AllocFromRun(art::Thread*, unsigned long, unsigned long*)+420)
         0000007febb66420  0000000012f0e320  /dev/ashmem/dalvik-main space (deleted)
         0000007febb66428  0000007f7b8cf0e8  [anon:libc_malloc]
         0000007febb66430  0000007f71003558  [anon:libc_malloc]
         0000007febb66438  0000000000000001  
         0000007febb66440  0000007f7bc001e8  [anon:libc_malloc]
         0000007febb66448  0000007fffffffff  
         0000007febb66450  0000007f7bc001e8  [anon:libc_malloc]
         0000007febb66458  0000007febb669f0  [stack]
         0000007febb66460  000000000000001a  
         0000007febb66468  0000007f7b60d840  /system/lib64/libart.so (art::mirror::Class::GetInterfaceTypeList()+108)
         0000007febb66470  0000007febb66590  [stack]
         0000007febb66478  0000000073b2f014  /data/dalvik-cache/arm64/
processName:com.fingersoft.climbhill
broadcastEvent : com.fingersoft.climbhill SYSTEM_TOMBSTONE

[Enyby]

Very odd. I only remove lib files and all start crashes. But libs not necessary to start app. Apk without libs started on any device or emulator. Do not work normally but started.

It is look like serious bug in xposed.

I do not know how deal with it if it not depend of my code, but depend such mysterious thing as present not necessary files.

It is very very odd.

[rovo89]

Strange indeed. On Android 6.0, I couldn't reproduce this issue at all, neither on arm nor on arm64. Unfortunately, I have no other devices. The emulator doesn't work properly for me (due to my AMD CPU, no hardware acceleration is possible) and Genymotion is also running into SIGILL errors lately (as my CPU doesn't understand SSSE3). This will hopefully change soon, but I still need to wait for the new CPU to arrive, then I need to rebuild my PC and finally I'm also planning to set up Windows from scratch. Afterwards, I can hopefully reproduce this and find out more.

Just some things I noticed in the logs:

12-30 21:52:19.079 I/Xposed  (21719): Instrumentation detected, disabling framework for com.rgames.smashywanted
12-30 21:52:19.079 I/InjectionManager(21719): Inside getClassLibPath + mLibMap{0=, 1=}
12-30 21:52:19.079 I/InjectionManager(21719): Inside getClassLibPath caller 

The first line is written when Xposed detects that an app is started with instrumentation, which can cause issues with Xposed. This used to work fine, but maybe there's a bug when it comes to arm64 on Android 5.1.

The other two seem to be from the app. If "getClassLibPath" is referring to the CLASSPATH, then this might interfere with Xposed adding a jar to this variable.

Three other things came into my mind:

1. Could you create a file /data/data/de.robv.android.xposed.installer/conf/disabled to disable all of Xposed's hooking? That would only leave the ART modifications active, which I suspect to be the issue here.
2. Did you have the change to test Xposed v78?
3. If you know how to use objdump, could you check what's at 2b028 in /data/dalvik-cache/arm64/system@framework@boot.oat? The next frame in the stacktrace refers to address 24, which is most likely not correct. Would be good to get a feeling what the system is doing before.

[Enyby]

Application uses Instrumentation to create a context without Activity. However, this may not be the cause of the fall without libraries.

With Classpath application does not interact at all in any way, so there is nothing to say.

As for the other questions, I redirect them to a person who has a problem. I also have no way to reproduce the bug, unfortunately.

[Enyby]

I would like to mention one more feature. All of incidence associated with the same location. 00000217 This suggests an error handling pointer. Here are the logs:

Build: samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys
Hardware: universal7420
Revision: 10
Bootloader: G925FXXU3COI9
Radio: unknown
Kernel: Linux version 3.10.61-S6_UniKernel_v8-0002_rb (gl@BlueDingo) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Fri Sep 4 16:01:33 BST 2015

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys'
Revision: '10'
ABI: 'arm64'
pid: 21719, tid: 21719, name: es.smashywanted  >>> com.rgames.smashywanted <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xa900000000217
    x0   0000007f740933c0  x1   0000007fca7ffea0  x2   0000007f740933c0  x3   0000000000000000
    x4   00000000771092b0  x5   0000000000000001  x6   0000000000000000  x7   0000007f7408a1bc
    x8   0000000000000000  x9   0000007f7408a1b8  x10  0000000000000000  x11  0000000000000000
    x12  0000000000000000  x13  0000000000430000  x14  0000000000550000  x15  0000000000430000
    x16  0000000000000000  x17  740a90000000007f  x18  0000007f73ffd520  x19  0000000000000060
    x20  0000000073b04020  x21  0000007f740a9000  x22  0000007f740a9090  x23  0000007fca800070
    x24  00000000712d3c79  x25  0000007fca800070  x26  0000007fca800080  x27  0000007fca8000b8
    x28  0000007fca800590  x29  0000007fca7fff20  x30  0000000073b2f02c
    sp   0000007fca7ffe90  pc   0000000073b04024  pstate 0000000060000000
    v0   00000000000000000000000000000000  v1   00000000000000000000007f74065560
    v2   00000000000000000000000000000000  v3   00000000000000000000007fca801438
    v4   00000000000000000000000000000018  v5   00000000000000000000007fca801428
    v6   00000000000000000000000000000138  v7   00000000000000007060993870609938
    v8   00000000000000000000007fca8006a8  v9   00000000000000000000000070ee41e8
    v10  00000000000000000000000000000011  v11  00000000000000000000000000100045
    v12  00000000000000000000007f740a0400  v13  00000000000000000000007f740a0400
    v14  00000000000000000000007fca801dc8  v15  00000000000000000000000000080000
    v16  00000000000000000000007fca8013a8  v17  70609938706099387060993870609938
    v18  70609938706099387060993870609938  v19  70609938706099387060993870609938
    v20  70609938706099387060993870609938  v21  70609938706099387060993870609938
    v22  70609938706099387060993870609938  v23  70609938706099387060993870609938
    v24  70609938706099387060993870609938  v25  70609938706099387060993870609938
    v26  70609938706099387060993870609938  v27  70609938706099387060993870609938
    v28  70609938706099387060993870609938  v29  70609938706099387060993870609938
    v30  000000000000000000000000ebad608e  v31  000000000000000000000000ebad608f
    fpsr 00000010  fpcr 00000000

backtrace:
    #00 pc 0000000000000024  /data/dalvik-cache/arm64/system@framework@boot.oat
    #01 pc 000000000002b028  /data/dalvik-cache/arm64/system@framework@boot.oat

stack:
         0000007fca7ffd90  0000007f74400178  [anon:libc_malloc]
         0000007fca7ffd98  0000007fffffffff  
         0000007fca7ffda0  0000007f698000c0  [anon:libc_malloc]
         0000007fca7ffda8  0000007f00000001  
         0000007fca7ffdb0  0000007f74400410  [anon:libc_malloc]
         0000007fca7ffdb8  0000007f740cf0e8  [anon:libc_malloc]
         0000007fca7ffdc0  0000007f74005370  [anon:libc_malloc]
         0000007fca7ffdc8  0000000000000001  
         0000007fca7ffdd0  0000007f69803630  [anon:libc_malloc]
         0000007fca7ffdd8  0000007fffffffff  
         0000007fca7ffde0  0000007f69803498  [anon:libc_malloc]
         0000007fca7ffde8  0000007f00000001  
         0000007fca7ffdf0  0000007f744001e8  [anon:libc_malloc]
         0000007fca7ffdf8  0000007f73e0d840  /system/lib64/libart.so (art::mirror::Class::GetInterfaceTypeList()+108)
         0000007fca7ffe00  0000007fca7fff20  [stack]
         0000007fca7ffe08  0000000073b2f014  /data/dalvik-cache/arm64/system@framework@boot.oat
         0000007fca7ffe10  0000000000000060  
         0000007fca7ffe18  0000007f73c1ab78  /system/li
processName:com.rgames.smashywanted
broadcastEvent : com.rgames.smashywanted SYSTEM_TOMBSTONE

Build: samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys
Hardware: universal7420
Revision: 10
Bootloader: G925FXXU3COI9
Radio: G925FXXU3COI9
Kernel: Linux version 3.10.61-S6_UniKernel_v8-0002_rb (gl@BlueDingo) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Fri Sep 4 16:01:33 BST 2015

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys'
Revision: '10'
ABI: 'arm64'
pid: 13690, tid: 13690, name: m.cnplay.tiles2  >>> com.cnplay.tiles2 <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xca900000000217
    x0   0000007f89c933c0  x1   0000007fe63a5b80  x2   0000007f89c933c0  x3   0000000000000000
    x4   000000007771a1b0  x5   0000000000000001  x6   0000000000000000  x7   0000007f89c8a1bc
    x8   0000000000000000  x9   0000007f89c8a1b8  x10  0000000000000000  x11  0000000000000000
    x12  0000000000000000  x13  0000000000430000  x14  0000000000550000  x15  0000000000430000
    x16  0000000000000000  x17  89ca90000000007f  x18  0000007f89bfd520  x19  0000000000000060
    x20  0000000074115020  x21  0000007f89ca9000  x22  0000007f89ca9090  x23  0000007fe63a5d50
    x24  00000000718e4c79  x25  0000007fe63a5d50  x26  0000007fe63a5d60  x27  0000007fe63a5d98
    x28  0000007fe63a6270  x29  0000007fe63a5c00  x30  000000007414002c
    sp   0000007fe63a5b70  pc   0000000074115024  pstate 0000000060000000
    v0   00000000000000000000000000000000  v1   00000000000000000000007f89c65560
    v2   00000000000000000000000000000000  v3   00000000000000000000007fe63a7118
    v4   00000000000000000000007fe63a70a8  v5   00000000000000000000007fe63a7108
    v6   00000000000000000000007fe63a7098  v7   000000000000000070c1a93870c1a938
    v8   00000000000000000000007fe63a6388  v9   000000000000000000000000714f51e8
    v10  00000000000000000000000000000011  v11  00000000000000000000000000000045
    v12  00000000000000000000007f89ca0400  v13  00000000000000000000007f89ca0400
    v14  00000000000000000000007fe63a7aa8  v15  00000000000000000000000000080000
    v16  00000000000000000000007fe63a7088  v17  70c1a93870c1a93870c1a93870c1a938
    v18  70c1a93870c1a93870c1a93870c1a938  v19  70c1a93870c1a93870c1a93870c1a938
    v20  70c1a93870c1a93870c1a93870c1a938  v21  70c1a93870c1a93870c1a93870c1a938
    v22  70c1a93870c1a93870c1a93870c1a938  v23  70c1a93870c1a93870c1a93870c1a938
    v24  70c1a93870c1a93870c1a93870c1a938  v25  70c1a93870c1a93870c1a93870c1a938
    v26  70c1a93870c1a93870c1a93870c1a938  v27  70c1a93870c1a93870c1a93870c1a938
    v28  70c1a93870c1a93870c1a93870c1a938  v29  70c1a93870c1a93870c1a93870c1a938
    v30  000000000000000000000000ebad608e  v31  000000000000000000000000ebad608f
    fpsr 00000010  fpcr 00000000

backtrace:
    #00 pc 0000000000000024  /data/dalvik-cache/arm64/system@framework@boot.oat
    #01 pc 000000000002b028  /data/dalvik-cache/arm64/system@framework@boot.oat

stack:
         0000007fe63a5a70  0000007f8a000178  [anon:libc_malloc]
         0000007fe63a5a78  0000007fe63a5b68  [stack]
         0000007fe63a5a80  0000007fe63a5c30  [stack]
         0000007fe63a5a88  0000007f898e0dfc  /system/lib64/libart.so (art::gc::allocator::RosAlloc::AllocFromRun(art::Thread*, unsigned long, unsigned long*)+420)
         0000007fe63a5a90  0000000012c6f6e0  /dev/ashmem/dalvik-main space (deleted)
         0000007fe63a5a98  0000007f89ccf0e8  [anon:libc_malloc]
         0000007fe63a5aa0  0000007f89c05e98  [anon:libc_malloc]
         0000007fe63a5aa8  0000000000000001  
         0000007fe63a5ab0  0000007f7f4036d8  [anon:libc_malloc]
         0000007fe63a5ab8  0000007f00000001  
         0000007fe63a5ac0  0000007f8a0001e8  [anon:libc_malloc]
         0000007fe63a5ac8  0000007fffffffff  
         0000007fe63a5ad0  0000007f8a0001e8  [anon:libc_malloc]
         0000007fe63a5ad8  0000007f89a0d840  /system/lib64/libart.so (art::mirror::Class::GetInterfaceTypeList()+108)
         0000007fe63a5ae0  0000007fe63a5c00  [stack]
         0000007fe63a5ae8  0000000074140014  /data/dalvik-cach
processName:com.cnplay.tiles2
broadcastEvent : com.cnplay.tiles2 SYSTEM_TOMBSTONE

Build: samsung/nobleltezh/nobleltehk:5.1.1/LMY47X/N9200ZHU2AOKA:user/release-keys
Hardware: universal7420
Revision: 9
Bootloader: N9200ZHU2AOKA
Radio: unknown
Kernel: Linux version 3.10.61-ka-1 (Tron@ubuntu) (gcc version 4.9 20140514 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Dec 11 17:50:03 CST 2015

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/nobleltezh/nobleltehk:5.1.1/LMY47X/N9200ZHU2AOKA:user/release-keys'
Revision: '9'
ABI: 'arm64'
pid: 4831, tid: 4831, name: es.smashywanted  >>> com.rgames.smashywanted <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4a600000000217
    x0   0000007f8a4d6300  x1   0000007fe8eb62f0  x2   0000007f8a4d6300  x3   0000000000000000
    x4   0000000076131300  x5   0000000000000001  x6   0000000000000000  x7   0000007f8a48a7bc
    x8   0000000000000000  x9   0000007f8a48a7b8  x10  0000000000000000  x11  0000000000000000
    x12  0000000000000000  x13  0000000000430000  x14  0000000000550000  x15  0000000000430000
    x16  0000000000000000  x17  8a4a60000000007f  x18  0000007f8a3fd520  x19  0000000000000060
    x20  0000000072a52020  x21  0000007f8a4a6000  x22  0000007f8a4a6090  x23  0000007fe8eb64c0
    x24  0000000070180c7a  x25  0000007fe8eb64c0  x26  0000007fe8eb64d0  x27  0000007fe8eb6508
    x28  0000007fe8eb69e0  x29  0000007fe8eb6370  x30  0000000072a7d0dc
    sp   0000007fe8eb62e0  pc   0000000072a52024  pstate 0000000060000000
    v0   00000000000000000000000000000000  v1   00000000000000000000007f8a465560
    v2   00000000000000000000000000000000  v3   00000000000000000000007fe8eb7880
    v4   00000000000000000000007fe8eb7810  v5   00000000000000000000007fe8eb7870
    v6   00000000000000000000007fe8eb7800  v7   00000000000000006f491df86f491df8
    v8   00000000000000000000007fe8eb6af8  v9   0000000000000000000000006fd85868
    v10  00000000000000000000000000000011  v11  00000000000000000000000000000045
    v12  00000000000000000000007f8a49d400  v13  00000000000000000000007f8a49d400
    v14  00000000000000000000007fe8eb8218  v15  00000000000000000000000000080000
    v16  00000000000000000000007fe8eb77f0  v17  6f491df86f491df86f491df86f491df8
    v18  6f491df86f491df86f491df86f491df8  v19  6f491df86f491df86f491df86f491df8
    v20  6f491df86f491df86f491df86f491df8  v21  6f491df86f491df86f491df86f491df8
    v22  6f491df86f491df86f491df86f491df8  v23  6f491df86f491df86f491df86f491df8
    v24  6f491df86f491df86f491df86f491df8  v25  6f491df86f491df86f491df86f491df8
    v26  6f491df86f491df86f491df86f491df8  v27  6f491df86f491df86f491df86f491df8
    v28  6f491df86f491df86f491df86f491df8  v29  6f491df86f491df86f491df86f491df8
    v30  000000000000000000000000ebad608e  v31  000000000000000000000000ebad608f
    fpsr 00000010  fpcr 00000000

backtrace:
    #00 pc 0000000000000024  /data/dalvik-cache/arm64/system@framework@boot.oat
    #01 pc 000000000002b0d8  /data/dalvik-cache/arm64/system@framework@boot.oat

stack:
         0000007fe8eb61e0  0000007f8a800178  [anon:libc_malloc]
         0000007fe8eb61e8  0000007fffffffff  
         0000007fe8eb61f0  0000007f7f8007c8  [anon:libc_malloc]
         0000007fe8eb61f8  0000007fffffffff  
         0000007fe8eb6200  0000007f7f8004f8  [anon:libc_malloc]
         0000007fe8eb6208  0000007f00000001  
         0000007fe8eb6210  0000007f7f800690  [anon:libc_malloc]
         0000007fe8eb6218  0000007f00000001  
         0000007fe8eb6220  0000007f7f803798  [anon:libc_malloc]
         0000007fe8eb6228  00000000ffffffff  
         0000007fe8eb6230  0000007f7f803600  [anon:libc_malloc]
         0000007fe8eb6238  0000007f00000001  
         0000007fe8eb6240  0000007f8a8001e8  [anon:libc_malloc]
         0000007fe8eb6248  0000007fe8eb67e0  [stack]
         0000007fe8eb6250  0000007fe8eb6370  [stack]
         0000007fe8eb6258  0000000072a7d0c4  /data/dalvik-cache/arm64/system@framework@boot.oat
         0000007fe8eb6260  0000000000000060  
         0000007fe8eb6268  0000007f8a019af8  /system/lib64/libart.so (art::JniMethodStart(art::Thread*))
         0000007fe8eb6270
processName:com.rgames.smashywanted
broadcastEvent : com.rgames.smashywanted SYSTEM_TOMBSTONE

[rovo89]

That doesn't necessarily mean much - after all, the execution somehow jumped to a very low memory address 0x24 from 0x2b0d8. At address 0x24, there might be any kind of instruction which accesses 0x217, but I doubt that the control flow should even get to 0x24. This might be an offset to something (vtable?), and if the object happens to be 0, it might go to this wrong address. That's why it would be interesting to know what's at 0x2b0d8.

There's a lot of guessing involved here though. Knowing answers to my three points above could help to get further information.

[geribabldi]

@rovo, sorry for writing in german

Hallo rovo, ich versuche enyby beim finden des Fehlers zu helfen. Habe die Möglichkeit das ganze an echten geräten zu testen.

Da ich weder vom coden eine Ahnung habe, noch mein schoolenglisch ausreichend ist für Diskussion bitte ich dich mir kurz zu sagen was ich genau tun muss um das zu testen

Bis /data/data/de.robv.android.xposed.installer/conf/disabled

Konnte ich dir folgen objdump musst du mir genau erklären

Zu 1. Muss die datei eine endung haben?

Wie ist die aktuellste version von xposed für s6/edge

Ist echt ärgerlich das ich xposed deisntallieren soll da ich täglich beide apps nutze

Gibt es eine Möglichkeit gameguardian auszugrenzen in den xposed zugriffen?

[Enyby]

@geribabldi

1. Game Guardian does not apply to Xposed. Xposed patch system that breaks start GameGuardian.
2. The forum GG I asked you to send me the file oat. You it was never sent. Send it to me.

[geribabldi]

Installiert habe ich xposed 78.1 custom build by wanam

Installer ist vom juni 3.0 alpha4

Solltest du irgendwelche logcats brauchen sag Bescheid, ich teste das

[geribabldi]

Ich hab das file jetzt wie folgt erstellt

/data/data/de.robv.android.xposed.installer/conf/disabled

Ich nehme an nun start ich mal neu

[Enyby]

I got logcat and both oat and art files. As I see offset 2b028 pointed to # java.net.Authenticator$RequestorType java.net.Authenticator$RequestorType.SERVER FIELDS:0002B028 Authenticator$RequestorType_SERVER:dex_method_desc <0x1BD, 0x1BD, 0x220A> in IDA.

https://www.sendspace.com/file/xjv637

[rovo89]

@geribabldi: Genau, einfach mal diese Datei erstellen und schauen, ob sich etwas ändert. Etwas problematisch ist, dass ich Samsung gar nicht unterstütze, wie du ja selbst schon festgestellt hast.

@Enyby: Thanks. The file has an executable offset of 0x02b2a000 in oatdump, so I added that to 2b028. At position 0x02b55028, I found blr x20, so this might indeed be the call that leads to the failing instruction. It's seems to be a generic JNI wrapper though, which is used by at least these methods:

 22: boolean dalvik.system.VMRuntime.is64Bit() (dex_method_idx=693)
  23: boolean dalvik.system.VMRuntime.isCheckJniEnabled() (dex_method_idx=697)
  24: boolean dalvik.system.VMRuntime.isDebuggerActive() (dex_method_idx=698)
  45: boolean java.lang.Thread.isInterrupted() (dex_method_idx=3563)
  5: boolean java.lang.ref.FinalizerReference.makeCircularListIfUnenqueued() (dex_method_idx=3747)
  5: boolean com.android.org.conscrypt.OpenSSLProvider.nativeCheckWhitelist() (dex_method_idx=805)
  75: boolean android.content.res.AssetManager.isUpToDate() (dex_method_idx=8134)
  13: boolean android.graphics.Movie.isOpaque() (dex_method_idx=11757)
  36: boolean android.graphics.Paint.native_hasTextEffect() (dex_method_idx=11946)
  130: boolean android.graphics.Paint.isElegantTextHeight() (dex_method_idx=11904)
  32: boolean android.graphics.Region.isComplex() (dex_method_idx=12369)
  33: boolean android.graphics.Region.isEmpty() (dex_method_idx=12370)
  34: boolean android.graphics.Region.isRect() (dex_method_idx=12371)
  40: boolean com.android.server.FMPlayerNative.getSoftMuteMode() (dex_method_idx=51007)
  33: boolean com.google.android.gles_jni.EGLImpl.eglReleaseThread() (dex_method_idx=51707)
  36: boolean com.google.android.gles_jni.EGLImpl.eglWaitGL() (dex_method_idx=51710)
  13: boolean com.samsung.location.CellGeofenceProvider.native_init() (dex_method_idx=62005)
  4: boolean android.filterfw.core.GLEnvironment.nativeActivate() (dex_method_idx=10570)
  9: boolean android.filterfw.core.GLEnvironment.nativeAllocate() (dex_method_idx=10575)
  10: boolean android.filterfw.core.GLEnvironment.nativeDeactivate() (dex_method_idx=10576)
  11: boolean android.filterfw.core.GLEnvironment.nativeDeallocate() (dex_method_idx=10577)
  13: boolean android.filterfw.core.GLEnvironment.nativeInitWithCurrentContext() (dex_method_idx=10579)
  14: boolean android.filterfw.core.GLEnvironment.nativeInitWithNewContext() (dex_method_idx=10580)
  15: boolean android.filterfw.core.GLEnvironment.nativeIsActive() (dex_method_idx=10581)
  17: boolean android.filterfw.core.GLEnvironment.nativeIsContextActive() (dex_method_idx=10583)
  20: boolean android.filterfw.core.GLEnvironment.nativeSwapBuffers() (dex_method_idx=10586)
  4: boolean android.filterfw.core.GLFrame.generateNativeMipMap() (dex_method_idx=10603)
  20: boolean android.filterfw.core.GLFrame.nativeDeallocate() (dex_method_idx=10633)
  21: boolean android.filterfw.core.GLFrame.nativeDetachTexFromFbo() (dex_method_idx=10634)
  22: boolean android.filterfw.core.GLFrame.nativeFocus() (dex_method_idx=10635)
  23: boolean android.filterfw.core.GLFrame.nativeReattachTexToFbo() (dex_method_idx=10636)
  24: boolean android.filterfw.core.GLFrame.nativeResetParams() (dex_method_idx=10637)
  11: boolean android.filterfw.core.NativeFrame.nativeDeallocate() (dex_method_idx=10776)
  2: boolean android.filterfw.core.NativeProgram.allocate() (dex_method_idx=10794)
  10: boolean android.filterfw.core.NativeProgram.callNativeInit() (dex_method_idx=10802)
  12: boolean android.filterfw.core.NativeProgram.callNativeReset() (dex_method_idx=10804)
  14: boolean android.filterfw.core.NativeProgram.callNativeTeardown() (dex_method_idx=10806)
  15: boolean android.filterfw.core.NativeProgram.deallocate() (dex_method_idx=10807)
  16: boolean android.filterfw.core.NativeProgram.nativeInit() (dex_method_idx=10810)
  6: boolean android.filterfw.core.ShaderProgram.beginShaderDrawing() (dex_method_idx=10917)
  7: boolean android.filterfw.core.ShaderProgram.compileAndLink() (dex_method_idx=10918)
  9: boolean android.filterfw.core.ShaderProgram.deallocate() (dex_method_idx=10920)
  4: boolean android.filterfw.core.VertexFrame.nativeDeallocate() (dex_method_idx=11040)
  59: boolean android.hardware.Camera.previewEnabled() (dex_method_idx=11828)
  1: boolean android.hardware.usb.UsbRequest.native_cancel() (dex_method_idx=17151)
  9: boolean android.media.JetPlayer.native_clearQueue() (dex_method_idx=21184)
  10: boolean android.media.JetPlayer.native_closeJetFile() (dex_method_idx=21185)
  14: boolean android.media.JetPlayer.native_pauseJet() (dex_method_idx=21189)
  15: boolean android.media.JetPlayer.native_playJet() (dex_method_idx=21190)
  8: boolean android.media.MediaExtractor.advance() (dex_method_idx=21578)
  18: boolean android.media.MediaExtractor.hasCacheReachedEndOfStream() (dex_method_idx=21590)
  106: boolean android.media.MediaPlayer.isLooping() (dex_method_idx=22077)
  107: boolean android.media.MediaPlayer.isPlaying() (dex_method_idx=22079)
  17: boolean android.media.audiofx.AudioEffect.native_getEnabled() (dex_method_idx=23735)
  19: boolean android.media.audiofx.AudioEffect.native_hasControl() (dex_method_idx=23737)
  9: boolean android.media.audiofx.Visualizer.native_getEnabled() (dex_method_idx=24019)
  7: boolean android.os.BinderProxy.isBinderAlive() (dex_method_idx=33455)
  9: boolean android.os.BinderProxy.pingBinder() (dex_method_idx=33457)
  145: boolean com.sec.android.seccamera.SecCamera.previewEnabled() (dex_method_idx=491)

That said, I'm not 100% that the crash really happens inside one of these methods.

Another thing I noticed is that this is a Samsung ROM, are there any non-Samsung reports for this bug? My Xposed builds don't support Samsung, so maybe we should involve @wanam. The "InjectionManager" seems to be their addition as well. The last message is "Inside getClassLibPath caller", which is written by getClassLibPath(int), which is called by LoadedApk.getClassLoader(). Xposed usually does some fiddeling with the classloader, but shouldn't do that when it detects instrumentation. I have no idea whether there's a strange intermediate state on Samsung ROMs in this case.

@wanam: Could you have a look at this please? It seems that you hook nativeCheckWhitelist from the list above, what happens if that hook doesn't work? I remember you wrote something that Xposed hooks must not be disabled, otherwise the ROM won't work. Is it possible that this method has a native implementation with Samsung's libart.so that doesn't exist in AOSP (and hence in Xposed), so when it's called anyway, it crashes? Any further ideas?

[rovo89]

@Enyby By the way, both APKs from the test.zip that you uploaded earlier worked fine for me (on Genymotion), the app could start. There was only a message about a missing library, which makes sense.

[wanam]

@rovo89 Here is opensslprovider.jar from TW LL : https://gist.github.com/wanam/3bf00867148a8ddda667#file-opensslprovider-java-L238

Samsung has a native implementation of "nativeCheckWhitelist", but i have no idea what's checking inside, we need to hook this method because it sets somehow fips status to true, which causes some crypto algorithms to be disabled, and this causes crashes on some paid apps certificates and any app that uses openssl algos.

So if the native hook does not work, we can still hook both methods that call "nativeCheckWhitelist": https://gist.github.com/wanam/3bf00867148a8ddda667#file-opensslprovider-java-L283 https://gist.github.com/wanam/3bf00867148a8ddda667#file-opensslprovider-java-L288

I can't test this myself, since i'm on TW MM, fortunately Samsung removed this crap on his new Android 6 builds.

@Enyby If you want to give it a try i can post a modified XposedBridge with both hooks to avoid this native hook: https://github.com/wanam/XposedBridge/blob/art/src/de/robv/android/xposed/SamsungHelper.java#L56

[Enyby]

@rovo89 In code I use only one method from listed: java.lang.Thread.isInterrupted(). But I used it early version before without problem. Another two methods is very common: android.os.BinderProxy.isBinderAlive(), android.os.BinderProxy.pingBinder() and can be called by system code on usage any system service.

Both apk work on me (all my emulators and devices), but one crashes on target (Some Samsung device as far as I know). I can not explain why.

@wanam I can not have device to test it. But if you post this - I write about that peoples who have this problem. Maybe someone test it and help us.

[rovo89]

@wanam I don't think that would help, as no hooks are executed when instrumentation is detected. The question is rather whether this crash could be caused by a call to the native method or if the crash for that would look differently. I'm wondering a bit where the native method would usually be implemented. Is it in their libart.so?

@Enyby Can you say something about the devices that you got reports for? Only Samsung Lollipop or others as well?

[wanam]

@rovo89 i think it's on their "libjavacrypto.so". I don't have a copy of it right now, but i can get it for you if need to take a look at it.

[Enyby]

@rovo89 As far I know - only Samsung Lollipop. List of Samsung devices:

5.1.1: Galaxy Note 6 Galaxy S6 SM-G920F SM-G925F S6 Edge Note 5

5.0.x: Galaxy Grand Prime

[Enyby]

On oat file uploaded early useed Xposed 74 bld 20150915. May be this info can help in something.

[wanam]

@rovo89 I can confirm it's on "libjavacrypto.so": https://www.dropbox.com/s/pv6nunt9ydw0qkf/libjavacrypto.so?dl=0

[Enyby]

Libs from problem device (Samsung Galaxy S6 SM-G920F), same as oat file above: https://www.sendspace.com/file/twd825 May be it can help.

[rovo89]

OK, so the implementation of nativeCheckWhitelist() should still be there, but I could imagine it crashes if it's not initialized properly (due to the replaced ART libraries and some hooks that might have been executed earlier). Is it possible that this happens only on arm64 devices where GameGuardian simply didn't run earlier? I.e. it didn't break things that worked before?

I have verified that hooking a native method and then disabling all hooks (like done when instrumentation is detected) works fine, it reverts to the original native implementation and doesn't crash. So there's not a general issue with hooking native methods.

I'd like to see if disabling Xposed for instrumented apps is indeed the cause of the crash. Would it be possible for you, @Enyby, to create a test build without instrumentation? I think it would just need to start, if that is possible. Otherwise, @wanam could try to disable the instrumentation detection in Xposed. I'm not sure of the consequences of that though, it has been in Xposed for more than 2.5 years (#2).

[wanam]

@Enyby here is a test version (same as v79.0) with instrumentation detection disabled for Samsung LL Roms: https://www.dropbox.com/sh/9tj8p2wdq1x01hp/AACJX6fbr2JL6C0HsH28wTuZa?dl=0

[Enyby]

As I said, the previous version worked. Problems arose when the new version.

I build test version without Instrumentation. https://www.sendspace.com/file/990isf

[rovo89]

As I said, the previous version worked.

You wrote that you added arm64 support in 8.1.0. I assume that if your app ran before on those devices, it was executed in 32-bit mode, which doesn't seem to run into these issues. Or am I missing something?

Anyway, could you please get someone to test these builds? I can't reproduce the issue myself.

[Enyby]

App consist of two parts - Java code (independent to arch and do not use any native code) and daemon (ELF executable to needed arch. Executable, not library).

Crash caused by Java part not by daemon. Then does not matter daemon 32-bit or 64-bit.

Or so I hope. Perhaps there comes some kind of analysis of the lib file, which breaks all.

I write in three place about this test builds. May be someone test it. If I give any feedback I am immediately write about that.

[Enyby]

There are test results. The test build of GameGuardian without Instrumentation starts.

Then problem on Instrumentation or something related.

[Enyby]

Refine your test. The test assembly Xposed solve the problem.

[wanam]

@Enyby Which one?

[Enyby]

xposed-v79.1-sdk22-arm64-custom-build-by-wanam-20160120

[rovo89]

@wanam Just to be sure, how exactly did you disable the instrumentation test?

[wanam]

@rovo89 I added a condition to ignore this portion of code when it is a Samsung Rom: https://github.com/wanam/XposedBridge/blob/art/src/de/robv/android/xposed/XposedBridge.java#L159-L164

@Enyby You mean the one i posted on my previous post with instrumentation detected disabled? i tough you said it didn't work! https://www.dropbox.com/sh/9tj8p2wdq1x01hp/AACJX6fbr2JL6C0HsH28wTuZa?dl=0

Or the other build i posted on my xda thread: https://www.dropbox.com/sh/7yukadu71uopm41/AAAYD-V1WhAwBnPCWypfudNFa?dl=0

Unfortunately i did post both of them with the same files names. In the last build i reverted the 2 commits: https://github.com/wanam/android_art/commit/380f036069b422413478f6dd7862aca67965edcb https://github.com/wanam/android_art/commit/4e5d44f964e1259b7e91c5f278fc0a258e387e99

[Enyby]

I mean file from dropbox. Firstly user try my test build gg on it but I thought he use normal gg. But later we resolve this misunderstanding and he test latest normal gg and it worked.

[Enyby]

I do not know about xda version of test build.

[wanam]

Ok then it is just related to the instrumentation detection.

[geribabldi]

Enyby, im reenabled xposed today. Same crashes with official 8.1+ versions.

But the test version you have uploaded on https://m.sendspace.com/file/990isf works a little bit. The deamon still works. I can start gg, the first window (with donate, start, test button) will showing up, but if i press start, nothing happend.

[geribabldi]

The dropbox links with testversions for xposed are outdated

[wanam]

Try v79.1 here: http://forum.xda-developers.com/showthread.php?p=62377731

[rovo89]

Ok, so let me summarize:

• The crash seems to happen inside Samsung's nativeCheckWhitelist() method.
• It seems to be limited to arm64. The addition of arm64 libs in GameGuardian 8.1.0 might have caused Android to run the app in 64-bit mode (vs. the compatiblity 32-bit mode that it probably runs in when only arm libs exist).
• This method isn't working correctly on AOSP-based (vs. Samsung stock) ART libs anyway, hence @wanam has hooked it to always return false.
• However, this hook (and all others) is disabled when Xposed detects that the app is being instrumented. See https://github.com/rovo89/XposedBridge/pull/2 (especially the XDA link) why this is necessary.
• Therefore, the native method is actually executed and crashes.
• Disabling the instrumention check fixes it for GameGuardian, possibly because the instrumention uses the same classloader as the app. It might break other scenarios though, unless the app startup code has been changed in this aspect in newer Android versions.

From my point of view, it's ok if @wanam disables the instrumentation check for Samsung ROMs as a temporary solution. This doesn't seem to be necessary on other devices, so I don't want to do this in my source tree. For the future, I will open an additional issue in the XposedBridge project to investigate whether Xposed can properly support instrumented apps. This has rather low priority for me though.

Any further comments/objections/doubts or can this issue be closed?

[Enyby]

I think it can be closed.

[wanam]

Yes it can be closed. I will keep the change for Samsung roms only: https://github.com/wanam/XposedBridge/commit/75576502da6570ea4cb489998be2e7e3b19417f3

[meeramen]

what about me bro i have mi A2 what i can do to fix it